More on medium trust: what permission are you missing?

Friday, December 4, 2009

Yesterday, I asked some questions about your usage of medium trust. Thank you all for the great answers and comments (but don’t read too much into that, I’m just playing with stuff). If you haven’t answered yet, feel free to do so.

Now I have an additional question:

What missing permission is preventing you from running in medium trust?

Please answer in comments. And thanks again for the great feedback.

12 Comments

Binary Serialization / Reflection
System.Diagnostics (Tracing)
Custom Configuration (workarounds are available, tho)

joelvarty - Friday, December 4, 2009 7:24:18 PM

Custom Configuration
ASP.NET Charting (although 4.0 fixes this)
Reflection Permission
Web Permission

aroberts - Friday, December 4, 2009 9:20:49 PM

MySql.Data is not working in medium trust...

i think it requires some web permission.

Krunal - Saturday, December 5, 2009 8:26:56 AM

OleDbPermission

madhanlal - Monday, December 7, 2009 6:49:06 AM

I agree about ReflectionPermission (with the RestrictedMemberAccess flag) and WebPermission. Those will be very useful.

Tsvetomir Tsonev - Monday, December 7, 2009 11:44:33 AM

We require full trust because we use the BinaryFormatter.

Mark Hildreth - Monday, December 7, 2009 2:30:53 PM

It might be easier to just ask what needs to be tightened in full trust to make it a reasonably secure default.

The answer is --Not much.

Full trust is reasonably secure already. Shops that REALLY care to tighten security will likely use a custom policy anyway.

The big things full trust can do to make it more secure without breaking too much stuff is:

Take away EventLog
Restict IO to the virtual directory
Take away registry access

There just seems to be little point in pre-defining more than one "default" policy. Make a single default that is as secure as possible without breaking "normal" or "common" things web apps are likely to need.

For anything else, just make it easier for admins and developers to create and manage custom policies and do away with the other pre-defined levels.

Stephen M. Redd - Monday, December 7, 2009 8:38:01 PM

UnmanagedCode permission. Exports to pdf from every single reporting product requires this ..

Steve - Monday, December 7, 2009 8:42:40 PM

At Kooboo, we have to ask user to add the reflection permission and ability to create and manipulate an appdomain.

And due to a MS bug, we have to add "UnmanagedCode" flag to SecurityPermission.

See trust level section at: http://www.kooboo.com/detail/kooboo12_installation_guide

Vincent - Tuesday, December 8, 2009 8:44:10 AM

Encryption and Decryption are not allowed

Devesh - Tuesday, December 8, 2009 9:51:41 AM

Steve said:
UnmanagedCode permission. Exports to pdf from every single reporting product requires this ..

I'm using SSRS to generate a PDF and I don't need UnmanagedCode permission.

Tim - Tuesday, December 8, 2009 9:25:38 PM

ReflectionPermission

My commercial web controls have optional features that use reflection. It impacts about 1% of my customers.

plblum - Thursday, December 17, 2009 3:23:04 PM

Comments have been disabled for this content.